Environment
Novell NetWare 6.5
eDirectory 8.7.3
Situation
Key Material Object is expired
SSL Certificate is expired
Can't identify which SSL Certificates are expired or soon to expire.
How to query the tree to locate SSL Certificates that have expired or are close to expiring.
Resolution
First, the schema needs to be extended by adding two optional
attributes to the NDSPKI:Key Material object class:
1. In ConsoleOne, highlight the tree and then open Schema
Manager under Tools.
2. Select the Class tab and go down to NDSPKI:Key Material.
3. Select Add, then under "Available attributes" select
NDSPKI:Not After and NDSPKI:Not Before and click the right arrow
to move these attributes to the "Add these attributes" window.
Then click OK.
Or, in iManager under Roles and Tasks, choose Schema | Add
Attribute. In the drop-down box choose NDSPKI:Key Material and
click OK. Next, under "Available optional attributes" select
NDSPKI:Not Before and NDSPKI:Not After and move these to the "Add
these optional attributes" window. Then click OK.
After this is done, force a schema sync with set dstrace = on,
set dstrace = +schema and set dstrace = *ssa, and then ensure
that there are no errors on the Directory Services screen.
The second part of the fix is an updated pki.nlm, version 2.77. This
is included with the edir8736 update and is located in the
/security/secupd directory. It is possible to install just the
secupd piece, which has its own secupd.ips file separate from the
NDS installation (although it is recommended to update eDirectory
as well). Once you have installed this through nwconfig, reboot the
server.
Once the server comes back up, when pki.nlm loads, a check is run
on all the KMOs in the container where the server object is located
(the server with pki.nlm version 2.77), and the attributes
NDSPKI:Not Before and NDSPKI:Not After are added to all of those
KMOs. To get the KMOs in other containers updated, at least one
server in each of those containers will also need to be updated.
You can check this through DSBrowse, ConsoleOne, iManager, etc., by
looking at an existing SSL Certificate and verifying that the
attributes NDSPKI:Not Before and NDSPKI:Not After are present. The
Not Before is the date the SSL Certificate was created and the Not
After holds the date the certificate expires.
Additional Information
Now that these attributes are present on the KMOs, an LDIF export
can be run to list all KMOs with their creation and expiration
dates. Take note that when you add these attributes to the export
criteria they have to be exact. The syntax should look like the
following:
nDSPKINotAfter
nDSPKINotBefore
An example of the exported LDIF would list all SSL certificates in
an output like this:
dn: cn=SSL CertificateIP - FS1,ou=servers,o=novell
changetype: add
nDSPKINotAfter: 200611121824
nDSPKINotBefore: 200411121824
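To turn such an export into a list of expired and soon-to-expire KMOs, here is an added Python example (not part of this TID). It assumes the exported values use the YYYYMMDDHHMM form seen in the sample above, and it runs on a constructed two-entry export.

```python
import re
from datetime import datetime, timedelta

# Constructed sample shaped like the LDIF export above (one KMO already
# expired, one expiring within 30 days of the check date used below).
SAMPLE_LDIF = """\
dn: cn=SSL CertificateIP - FS1,ou=servers,o=novell
changetype: add
nDSPKINotAfter: 200611121824
nDSPKINotBefore: 200411121824

dn: cn=SSL CertificateDNS - FS1,ou=servers,o=novell
changetype: add
nDSPKINotAfter: 200612150000
nDSPKINotBefore: 200412150000
"""

def parse_pki_time(value):
    # YYYYMMDDHHMM, as the exported values appear (assumed from the sample).
    return datetime.strptime(value.strip(), "%Y%m%d%H%M")

def parse_kmo_ldif(text):
    """Return {dn: (not_before, not_after)}; entries with no nDSPKINotAfter
    (KMOs not yet updated by pki.nlm 2.77) are skipped."""
    kmos = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, val = line.partition(":")
            attrs[name.strip()] = val.strip()
        if "dn" in attrs and "nDSPKINotAfter" in attrs:
            nb = attrs.get("nDSPKINotBefore")
            kmos[attrs["dn"]] = (parse_pki_time(nb) if nb else None,
                                 parse_pki_time(attrs["nDSPKINotAfter"]))
    return kmos

def report(text, now, warn_days=30):
    """Classify each KMO as 'expired', 'expiring' (within warn_days) or 'ok'."""
    now_dt = parse_pki_time(now)          # `now` in the same YYYYMMDDHHMM form
    status = {}
    for dn, (_nb, not_after) in parse_kmo_ldif(text).items():
        if not_after <= now_dt:
            status[dn] = "expired"
        elif not_after <= now_dt + timedelta(days=warn_days):
            status[dn] = "expiring"
        else:
            status[dn] = "ok"
    return status

if __name__ == "__main__":
    for dn, state in sorted(report(SAMPLE_LDIF, "200612010000").items()):
        print("%-8s %s" % (state, dn))
```

Point `report()` at the real export file contents and today's date to get the list of KMOs that need to be recreated.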
Once it is determined which certificates are expired or soon to
expire, there are multiple ways to remedy the situation. On NetWare,
pkidiag can be used. More information on using this tool can be
found in TID 10095905.
iManager 2.5 or later can also be used and may be the more
convenient option. Through the Novell Certificate Server | Create
Default Certificates task, a list of servers can be defined with
the option to overwrite the chosen servers' default certificates.
This is also useful as it gives a summary screen breaking down, by
server, the success or failure of each certificate creation attempt.
In order to see the Create Default Certificates task, the latest
pki.npm will need to be installed; the minimal version that will
need to be applied is 3.1.20060109. This can be obtained at
https://download.novell.com. Search for Novell iManager in the
drop-down box and then search for pkis on this page.
The default certificates would be the following (the server name
follows the hyphen, as in the LDIF example above):
IP AG
SSL CertificateIP -
DNS AG
SSL CertificateDNS -
Additional steps may be required for applications that import
eDirectory certificates into a file format or keystore.
Formerly known as TID# 10097442